CVE-2023-36814

Products.CMFCore are the key framework services for the Zope Content Management Framework (CMF). The use of Python's marshal module to handle unchecked input in a public method on PortalFolder objects can lead to an unauthenticated denial of service and crash situation. The code in question is exposed by all portal software built on top of Products.CMFCore, such as Plone. All deployments are vulnerable. The code has been fixed in Products.CMFCore version 3.2.

Published: Jul 3, 2023
Updated: May 9, 2024
CVE: CVE-2023-36814
GHSA: GHSA-4hpj-8rhv-9x87
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-770

Affected Software
References

Software	From	Fixed in
zope / products.cmfcore	-	3.2
Products.CMFCore	3.0	3.2
Products.CMFCore	-	2.7.1

https://github.com/pypa/advisory-database/tree/main/vulns/products-cmfcore/PYSEC-2023-113.yaml
https://github.com/zopefoundation/Products.CMFCore/commit/40f03f43a60f28ca9485c8ef429efef729be54e5
https://github.com/zopefoundation/Products.CMFCore/commit/c1847a9042abe7965271fa73762dfe091b576de
https://github.com/zopefoundation/Products.CMFCore/security/advisories/GHSA-4hpj-8rhv-9x87

Vulnerability Database

289,697

CVE-2023-36814